How iSCSI packets are encapsulated and how to protect iSCSI data traffic
Scott Lowe answers some basic questions about iSCSI from TechRepublic readers.

By Scott Lowe | in Data Center, February 29, 2012, 10:00 PM PST

An astute TechRepublic reader followed up on a recent post about SAS, SATA and iSCSI
storage arrays
(http://www.techrepublic.com/blog/networking/how-sas-and-sata-fit-in-with-the-iscsi-array/5349)
with some additional questions. Below are my answers to each one.

When iSCSI is used, how is the data encapsulated on the Ethernet?

In this case, a picture really is worth a thousand words, so take a look at Figure A below.
In it, you can see that iSCSI operates on the Session layer — layer 5 — of the ISO OSI model.
In order to be able to chat with other devices using iSCSI, the SCSI commands that are
generated at the presentation layer ultimately need to make their way down to the physical
layer. The diagram explains what happens at each layer.

Figure A

(https://tr1.cbsistatic.com/hub/i/2015/05/07/62f59b4e-f4a6-11e4-940f-14feb5cc3d2a/lowe_osi.jpg)

http://www.techrepublic.com/blog/data-center/how-iscsi-packets-are-encapsulated-and-how...

4/8/2017
Ex.1068.001

DELL

A look at how iSCSI packets are encapsulated
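
The layering described above can be followed in code. This is an added example, not part of the original article: it wraps a SCSI READ(10) command in an iSCSI SCSI Command PDU using the 48-byte Basic Header Segment layout from the iSCSI specification (RFC 3720), then decodes it again from the raw bytes. The function names and the sample values (LUN 1, LBA 2048, task tag 0x10) are constructed for illustration.

```python
import struct

BHS_LEN = 48             # iSCSI Basic Header Segment is always 48 bytes
OP_SCSI_COMMAND = 0x01
# Minimum headers added below iSCSI (no VLAN tag, no IP or TCP options, no FCS).
LOWER_HEADERS = [("TCP", 20), ("IPv4", 20), ("Ethernet", 14)]

def read10_cdb(lba, blocks):
    """SCSI READ(10) CDB: opcode 0x28, 32-bit LBA, 16-bit block count."""
    return struct.pack(">BBIBHB", 0x28, 0, lba, 0, blocks, 0)

def scsi_command_pdu(cdb, lun, task_tag, xfer_len, cmd_sn, exp_stat_sn):
    """Wrap a CDB in an iSCSI SCSI Command PDU (no AHS, no data segment)."""
    flags = 0x80 | 0x40 | 0x01               # Final, Read, SIMPLE task attribute
    return struct.pack(">BBHB3sH6xIIII16s",
                       OP_SCSI_COMMAND, flags, 0,
                       0, b"\x00\x00\x00",   # TotalAHSLength, DataSegmentLength
                       lun,                  # assumes LUN < 256 (peripheral addressing)
                       task_tag, xfer_len, cmd_sn, exp_stat_sn,
                       cdb)                  # struct zero-pads the CDB to 16 bytes

def parse_pdu(pdu):
    """Decode the header fields readable from the raw TCP payload."""
    if len(pdu) < BHS_LEN:
        raise ValueError("truncated Basic Header Segment")
    out = {"opcode": pdu[0] & 0x3F,
           "ahs_bytes": pdu[4] * 4,          # TotalAHSLength counts 4-byte words
           "data_bytes": int.from_bytes(pdu[5:8], "big"),
           "task_tag": int.from_bytes(pdu[16:20], "big")}
    if out["opcode"] == OP_SCSI_COMMAND:
        out["lun"] = pdu[9]                  # second byte of the 8-byte LUN field
        out["xfer_len"], out["cmd_sn"] = struct.unpack(">II", pdu[20:28])
        cdb = pdu[32:48]
        if cdb[0] == 0x28:                   # READ(10): LBA at 2..5, length at 7..8
            out["lba"], out["blocks"] = struct.unpack(">IxH", cdb[2:9])
    return out

def frame_bytes(pdu):
    """Size on the wire after TCP, IP and Ethernet each prepend a header."""
    return len(pdu) + sum(size for _, size in LOWER_HEADERS)

if __name__ == "__main__":
    # Constructed sample: read 8 blocks at LBA 2048 from LUN 1.
    pdu = scsi_command_pdu(read10_cdb(2048, 8), 1, 0x10, 8 * 512, 5, 1)
    print(parse_pdu(pdu), frame_bytes(pdu))
```

Every field comes back from the plain bytes without any key, which is why an unprotected iSCSI segment needs isolation or encryption underneath it.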

Is there any encryption or is this not an issue? If we have been hacked, can the iSCSI
data flow be intercepted and used in any way, or is this a moot point because of the
complexity of the data streams, particularly if there are multiple iSCSI initiators?

On its own, iSCSI traffic is not encrypted, but that doesn't mean that it's impossible to
protect iSCSI traffic from prying eyes. Many consider isolating iSCSI traffic to be a best
practice. That means that the iSCSI traffic gets its own dedicated network - either using
separate physical switches or a dedicated, non-routable VLAN - on which to operate. As
mentioned, this network is not connected to any other.

Most iSCSI systems also support the use of the Challenge Handshake Authentication
Protocol (CHAP). By using CHAP, iSCSI initiators are forced to authenticate using the
CHAP secret before they are granted access to the iSCSI target. In some cases, you can
also configure an iSCSI target to respond only to initiators that have certain attributes,
such as:

• Specific iSCSI World Wide Name (WWN)
• From a specific IP address

If you want to encrypt the iSCSI traffic - the ultimate and best protection from snooping -
you can implement IPSec for the iSCSI traffic. This
(http://www.enterprisestorageforum.com/ipstorage/features/article.php/3304621/Storage-Basics-Securing-iSCSI-using-IPSec.htm)
is a good article about that practice.
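
The CHAP step described above, as an added example that is not part of the original article: a target issues a challenge during iSCSI login and checks the initiator's answer, using the CHAP_A, CHAP_I, CHAP_C, CHAP_N and CHAP_R login keys from the iSCSI specification (RFC 3720). The class and function names, the initiator name and the secrets used with it are constructed for illustration.

```python
import hashlib
import hmac
import os

MIN_SECRET_BYTES = 12   # RFC 3720: CHAP secrets under 96 bits require IPsec underneath

def chap_response(ident, secret, challenge):
    """CHAP_A=5 (MD5): response = MD5(identifier byte || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def initiator_reply(name, secret, offer):
    """Initiator side: answer the target's CHAP_I / CHAP_C with CHAP_N / CHAP_R."""
    ident = int(offer["CHAP_I"])
    challenge = bytes.fromhex(offer["CHAP_C"][2:])
    return {"CHAP_N": name,
            "CHAP_R": "0x" + chap_response(ident, secret, challenge).hex()}

class Target:
    """Target side of one-way CHAP; `secrets` maps initiator name -> shared secret."""

    def __init__(self, secrets):
        for name, secret in secrets.items():
            if len(secret) < MIN_SECRET_BYTES:
                raise ValueError(f"CHAP secret for {name} is shorter than 96 bits")
        self.secrets = secrets
        self.pending = None

    def offer(self):
        """Issue a fresh identifier and random challenge for this login."""
        self.pending = (os.urandom(1)[0], os.urandom(16))
        ident, challenge = self.pending
        return {"CHAP_A": "5", "CHAP_I": str(ident), "CHAP_C": "0x" + challenge.hex()}

    def verify(self, reply):
        """Check CHAP_R once; the challenge is discarded whether or not it matched."""
        pending, self.pending = self.pending, None
        secret = self.secrets.get(reply.get("CHAP_N"))
        if pending is None or secret is None:
            return False
        try:
            got = bytes.fromhex(reply.get("CHAP_R", "")[2:])
        except ValueError:
            return False
        # Constant-time comparison of the received and expected digests.
        return hmac.compare_digest(got, chap_response(pending[0], secret, pending[1]))
```

CHAP only authenticates the login: the SCSI commands and data that follow it are still sent unencrypted unless IPSec or an isolated network protects them.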

In a virtualized environment, I'm assuming that each virtual server has its own iSCSI
initiator loaded, or can it share a single instance on a single hardware server?

When you're running systems in a virtual environment, such as under vSphere or Hyper-V,
it's generally recommended that the hosting server - the actual vSphere or Hyper-V host -
maintain the connections to the iSCSI storage. From there, the hypervisor handles what
connects to the storage. It's common, for example, to place virtual machine files, including
virtual machine hard drives, on the iSCSI storage. When this configuration is in place, the
virtual machines themselves actually have no idea at all that they are using iSCSI storage.
To them, it is just local storage.

That said, it is possible to install an iSCSI initiator from inside a virtual machine and
connect that virtual machine to a separate iSCSI target. When you do that, only that
specific virtual machine will see the iSCSI connection that was established. Be aware,
however, that doing this can introduce performance issues for that virtual machine since
that virtual machine then needs to handle all of the encapsulation activities using its own
virtual processors.

It appears that inexpensive 10GbE switches and adapters are now on the horizon.
When do you think 10GbE will be the standard?

The implementation of 10 GbE networking equipment is becoming more and more
common as prices come down. Larger organizations have been implementing 10 GbE gear
at their cores for quite some time. This trend will continue down the spectrum as more
SMBs find needs to implement ever faster networks. I believe that storage - both iSCSI and
Fibre Channel over Ethernet (FCoE) - will drive this trend in the data center; storage
performance has become an Achilles' Heel for many. If I had to guess, I'd say that 10 GbE
will be the standard in data centers in the 2014 to 2015 time frame, at least for new
implementations. It will still take some time to clear out legacy 1 GbE connections.

About Scott Lowe

Since 1994, Scott Lowe has been providing technology solutions to a variety of
organizations. After spending 10 years in multiple CIO roles, Scott is now an independent
consultant, blogger, author, owner of The 1610 Group, and a Senior IT Executive w...